[e2e] How prevalent is Timestamp option and PAWS?

Tue May 27 07:17:09 PDT 2003

> Also, any statistics on No. of hosts using timestamp option as specified
> in RFC 1323

This was discussed on end2end back in March 2000, as a side-issue to
SACK deployment statistics.  Sally Floyd has kept the answers around at:

        http://www.icir.org/floyd/notes/sack_answers.txt

Here's an update to the statistics I offered then.

The simplified one sentence summary is that nearly all current server OSs
support RFC1323 by default, but the most common client OS does not have
it enabled by default for active opens, so we don't see TCP timestamp
in dynamic traces as much as we'd perhaps expect.

80.5% of 4.16 million IP addresses running public web servers will
respond with the TCP timestamp option.  These IP addresses are nearly
all of those in the Netcraft Web Server survey:

        http://news.netcraft.com/archives/web_server_survey.html

so this is a good world-wide measure of public web servers.  Back in
March 2000 the comparable share was 38.1% (from a smaller 115k random
sample of the survey).

Pretty well all current versions of popular server OSs now support
RFC1323 be default for passive opens, when SYN-ACK responding to SYNs
offering RFC1323 options.  Some older versions don't, explaining why
my result isn't near 100%.  NT4, which doesn't support RFC1323, is
still widely used.  FreeBSD version 3 to about 4.3 disabled RFC1323 by
default, and there are still sizable numbers of those in use.  Also some
middle-boxes, like HTTP load-balancers, disable RFC1323.  Compaq Tru64
does not seem to normally respond to TCP timestamp by default, although
it does respond to window scale.

However it seems that although Windows has supported RFC1323 for quite
some time (Windows 98/Me/2000/XP), it is disabled by default for active
opens (plain SYN); though on passive opens (SYN-ACK) it does respond to
RFC1323 options by default.  As Windows is the most popular client OS,
this leads to many TCP flows not using TCP timestamp.

To enable Windows RFC1323 for active opens the Tcp1323Opts registry value
needs to be set.  This is described in many places, including Microsoft's
"Windows 2000 TCP/IP Implementation Details" paper:

        http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/network/deploy/depovg/tcpip2k.asp

which says "the default behaviour is as follows: do not initiate options
but if requested provide them".  This seems to be the same for
Windows 2003 Server:

        http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_TCPIP_ovr_newfeatures.asp

Here are my measurements in detail:

Date:                           April 2003

Unique IP addresses:            4163433

timestamp option:               3352161         80.51%
window scale option:            3363816         80.79%
both TS & WS options:           3313891         79.59%

Note these measurements aren't of dynamic flows of real traffic, but a
measurement of web server TCP option capabilities.  These numbers are for
connections from a single RFC1323 capable HTTP client to different web
server IP addresses.  The IP addresses are taken from the large-scale
Netcraft Web Server Survey, so this is a good approximation to public
web servers in general.  Because of the predominance of hosting however,
this sample significantly reflects the choices of web hosting companies.

        Richard
-- 
Richard Wendland                                richard at netcraft.com